---
title: Nautilus
description: Run secure, off-chain logic in trusted execution environments (TEEs), and verify it on-chain to trigger safe smart contract workflows.
---

Nautilus is a framework for secure and verifiable off-chain computation on Sui. It enables builders to delegate sensitive or resource-intensive tasks to a self-managed [trusted execution environment (TEE)](https://en.wikipedia.org/wiki/Trusted_execution_environment) while preserving trust on-chain through smart contract-based verification.

Nautilus supports hybrid decentralized applications (dApps) that require:
- Private data handling
- Complex computations
- Integration with external (Web2) systems

The framework ensures computations are tamper-resistant, isolated, and cryptographically verifiable.

It currently supports self-managed [AWS Nitro Enclave TEEs](https://aws.amazon.com/ec2/nitro/nitro-enclaves/). Developers can verify AWS-signed enclave attestations on-chain using Sui smart contracts written in Move. Refer to the [Github repo](https://github.com/MystenLabs/nautilus) for the reproducible build template.

## Features

A Nautilus application consists of 2 components:

- **Off-chain server:** Runs inside a TEE (like AWS Nitro Enclaves) and handles computations like user input processing or scheduled tasks.
- **On-chain smart contract**: Written in Move, verifies TEE attestations before executing transactions.

:::info

Initial support for AWS Nitro Enclaves is due to its maturity and reproducibility. Additional TEE providers might become available in the future.

:::

### How it works

- Deploy the off-chain server to a self-managed TEE, such as AWS Nitro Enclaves. You have the option of using the [available reproducible build template](https://github.com/MystenLabs/nautilus).
- The TEE generates a cryptographic attestation that proves the integrity of the execution environment.
- Sui smart contracts verify the attestation on-chain before accepting the TEE output.
- The integrity of the TEE is auditable and anchored by the provider's root of trust.

Refer to [Nautilus Design](nautilus/nautilus-design.mdx) and [Using Nautilus](nautilus/using-nautilus.mdx) for details.

:::important

The [provided reproducible build template](https://github.com/MystenLabs/nautilus) is intended as a starting point for building your own enclave. It is not feature complete, has not undergone a security audit, and is offered as a modification-friendly reference licensed under the Apache 2.0 license. THE TEMPLATE AND ITS RELATED DOCUMENTATION ARE PROVIDED `AS IS` WITHOUT WARRANTY OF ANY KIND FOR EVALUATION PURPOSES ONLY.
You can adapt and extend it to fit your specific use case.

:::

## Use cases

Nautilus supports several Web3 use cases for trustworthy and verifiable off-chain computation. Some examples include:

- **Trusted oracles**: Process off-chain data from Web2 services (weather, sports, financial data) or decentralized storage platforms like [Walrus](https://walrus.xyz) in a tamper-resistant way.
- **AI agents:** Nautilus is ideal for securely running AI models for inference or to execute agentic workflows to produce actionable outcomes, while providing data and model provenance on-chain.
- **DePIN solutions:** DePIN (Decentralized Physical Infrastructure) can leverage Nautilus for private data computation in IoT and supply chain networks.
- **Fraud prevention in multi-party systems:** Decentralized exchanges (DEXs) could use Nautilus for order matching and settlement, or layer-2 solutions could prevent collision and fraud by securely running computations between untrusted parties.
- **Identity management:** Nautilus can provide solutions in the identity management space that require on-chain verifiability for decentralized governance and proof of tamper resistance.

When used together, Nautilus and [Seal](https://github.com/MystenLabs/seal) enable powerful privacy-preserving use cases by combining secure and verifiable computation with secure key access. A common challenge with TEEs is persisting secret keys across restarts and different machines. Seal can address this by securely storing long-term keys and granting access only to properly attested TEEs. In this model, Nautilus handles computation over the encrypted data, while Seal controls key access. Applications that require a shared encrypted state can use both tools to privately process user requests and update encrypted data on public networks.

## Future plans and non-goals

Nautilus will support additional TEE providers in the future. Your suggestions on which platforms to prioritize or support is greatly appreciated. Contact the Nautilus team on [Sui Discord](https://discord.com/channels/916379725201563759/1361500579603546223).

<ImportContent source="contact-nautilus.mdx" mode="snippet" />

Nautilus does not have a native, readily usable TEE network. Nautilus partners might provide such TEE networks, however. Apart from such networks, you are encouraged to deploy and manage your own TEEs for running off-chain Nautilus servers.